Presentation is loading. Please wait.

Presentation is loading. Please wait.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

Published byGyles Jenkins Modified over 9 years ago

Similar presentations

Presentation on theme: "BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization."— Presentation transcript:

1 BY- NIKHIL TRIPATHI 12MCMB10

2  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization  Selecting the right Firewall  References

3 o Any device that prevents specific type of informations from moving between two networks -Between the outside (untrusted network: e.g., the Internet), and the inside (trusted network) o May be -a separate computer system -a service running on an existing router, server -separate network of supporting devices

4 Can o Limit access -Separate different parts of a network -Dynamically change permissions o Enforce security policy o Monitor/log activity

5 Cannot o Protect against malicious insiders o Protect against connections not passing through it (e.g. direct dialup). o Limited use against viruses

6 Packet filtering firewalls o First generation firewalls o Simple networking devices that filter packets by examining every incoming and outgoing packet header o Selectively filter packets based on values in the packet header o Can be configured to filter based on IP address, type of packet, port request, and/or other elements present in the packet

7 Typically use filtering rules based on IP addresses, Direction, port numbers.

8 o Application-level firewalls -Second generation firewalls -dedicated computers kept separate from the first filtering router (edge router) --The proxy server, rather than the Web server, is exposed to the outside world from within a network segment called the demilitarized zone (DMZ), an intermediate area between a trusted network and an untrusted network

9 o Stateless vs stateful inspection o Stateless: simple, memoryless, oblivious o Stateful inspection firewalls -Third generation firewalls -Keeps track of each network connection established between internal and external systems using a state table -State tables track the state and context of each packet.

10 o Stateful inspection firewalls (cont’d.) -Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts

11 o Does not examine packet contents, only headers o Application level firewalls examine packet contents

12

13 o Application aware o client and the server connect to these proxies instead of connecting directly to each other o can look in to individual sessions o can drop a packet based on information in the application protocol headers or in the application payload.

14 o IP address hiding/translation o Header modification o Content-based filtering (prevent sensitive data from being emailed out) o URL filtering o MIME filtering

15 o End-to-end semantics lost o Slower processing, lower throughput o Not all applications amenable to this strategy

16 o Each firewall generation can be implemented in several architectural configurations o Common architectural implementations -Packet filtering routers -Screened-host firewalls -Dual-homed host firewalls -Screened-subnet firewalls

17 o Most organizations with an Internet connection use some form of router between their internal networks and the external service provider -Many can be configured to block packets that the organization does not allow into the network -Such an architecture lacks auditing and strong authentication -The complexity of the access control lists used to filter the packets can grow to a point that degrades network performance

18

19 o Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server o Allows the router to screen packets -Minimizes network traffic and load on the internal proxy o The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services o Bastion host -A single, rich target for external attacks -Should be very thoroughly secured

20

21 o The bastion host contains two network interfaces -One is connected to the external network -One is connected to the internal network -Requires all traffic to travel through the firewall to move between the internal and external networks o Network-address translation (NAT) is often implemented with this architecture, which converts external IP addresses to special ranges of internal IP addresses o These special, nonroutable addresses consist of three different ranges: -10.x.x.x: greater than 16.5 million usable addresses -192.168.x.x: greater than 65,500 addresses -172.16.x.x - 172.31.x.x: greater than 1 million addresses

22 o A host firewall (not router) with 2 NICs placed between external and internal router. o More isolation, higher cost, slower processing, single point of failure

23

24 o Consists of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network o The first general model uses two filtering routers, with one or more dual- homed bastion hosts between them o The second general model shows connections routed as follows: -Connections from the untrusted network are routed through an external filtering router -Connections from the untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ -Second general model (cont’d.) --Connections into the trusted internal network are allowed only from the DMZ bastion host servers

25

26 o Firewall technology: -What type offers the right balance between protection and cost for the organization’s needs? o Cost: -What features are included in the base price? At extra cost? Are all cost factors known? o Maintenance: -How easy is it to set up and configure the firewall? -How accessible are the staff technicians who can competently configure the firewall? o Future growth: Can the candidate firewall adapt to the growing network in the target organization?

27  http://www.firewall.com http://www.firewall.com  Cryptography and Network Security by William Stallings  Computer Networks by Andrew S. Tanenbaum  http://www.wikipedia.org http://www.wikipedia.org

28

29

Download ppt "BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization."

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewall Configuration Strategies

Firewall Configuration Strategies
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google